Mobile Payments Risks

The Federal Deposit Insurance Corporation (FDIC) recently published a report in the agency’s “Supervisory Highlights” journal concerning the growth of mobile payments and the responsibility of banks and non-bank third parties to comply with existing laws and regulations. “Mobile Payments, An Evolving Landscape” includes a snapshot of the mobile payments’ market, a brief analysis of current technologies supporting mobile payments, a high-level discussion of risks associated with mobile payments and a summary of the legal and supervisory framework governing mobile payments. The article also raises the specter of disintermediation of bank activity in mobile payments, suggesting the FDIC will both monitor and exert jurisdiction over non-bank companies as they gain market share in the mobile payments space.

Like other federal regulators such as the Federal Reserve and the Federal Trade Commission, the FDIC clearly has its eye on mobile payments. The FDIC’s current interest seems driven by the explosion in smart devices that support POS and cloud payments. The FDIC noted that 87% of the U.S. population now has a mobile phone, and 50% of those are smartphones. The agency observed that 1/3 of mobile phone users reported using their device to make a mobile purchase (including apps) in 2012. In the FDIC’s view, mobile payments present the same types of risks to financial institutions associated with many traditional banking-related products. However, the FDIC cautioned that, depending on the type of mobile payment, “financial institutions may find that the effective management of risks involves partnering with application developers, mobile network operators, handset manufacturers, specialized security firms, and others.” Thus, the FDIC signaled that financial institution should have a review and approval process “sufficiently broad to ensure compliance with internal policies and applicable laws and regulations.” The need to partner with other providers in order to offer a mobile payments solution also may subject such bank partners to federal banking regulatory oversight as an “institution-affiliated party” and oversight by the federal banking regulators and the Consumer Financial Protection Bureau (CFPB) as a “service provider”. (See our prior post on the CFPB’s 2012 guidance concerning service providers here.)

The FDIC specifically noted fraud as a potential concern, emphasizing that the regulatory expectations for mobile payments providers are consistent with financial services delivered through traditional channels. The agency stated that “[n]o safe harbors or carve-outs from coverage for mobile payments exist. Thus, mobile payments providers must determine how to comply with existing legal requirements when the application to mobile payments may not be readily apparent.” The FDIC called out disclosure requirements in particular, noting “creative solutions” may be required given the size of device screens.

The FDIC report includes a matrix of laws and regulations (reproduced below) that may apply to a mobile payments program, along with additional obligations mobile payments providers may face. The matrix, while useful to banks and non-banks alike, should not be viewed as exclusive, however, nor should any stakeholder in mobile payments assume that the FDIC (or any other regulator) will limit its jurisdiction over or interest in mobile payments to the issues and concerns mentioned in the matrix.

Finally, the FDIC report raises the concept of disintermediation, suggesting that banks increasingly may find themselves displaced by non-banks in the mobile payments marketplace, perhaps owing to current inefficiencies in the transaction chain. For example, the agency observed that up to five banks might take different roles in a current transaction. The FDIC’s analysis does not clearly identify new regulatory risks for banks associated with mobile payments disintermediation, nor does the agency offer a particular solution to potential disintermediation concerns from non-bank participation in mobile payments. The FDIC does, however, underscore both the potential commercial consequences to banks of losing direct access to customer information, as well as the need for robust bank oversight of vendors (so-called “third-party relationships”) involved in mobile payments offerings.

While unstated, the FDIC’s potential concern with disintermediation might also be traced to the general unease of regulators with key roles in retail payments migrating to less-regulated players. Such migration may increase risks to consumers, the safety and soundness of participating institutions, and the integrity of the payments system as a whole. The possibility of mobile payments opening up a “shadow banking system” and creating gaps in regulatory coverage is one we can expect regulators to be gauging carefully.